US7240197B1 - Method and apparatus for encryption and decryption in remote data storage systems - Google Patents

Method and apparatus for encryption and decryption in remote data storage systems Download PDF

Info

Publication number
US7240197B1
US7240197B1 US09/618,202 US61820200A US7240197B1 US 7240197 B1 US7240197 B1 US 7240197B1 US 61820200 A US61820200 A US 61820200A US 7240197 B1 US7240197 B1 US 7240197B1
Authority
US
United States
Prior art keywords
disk system
remote
local
data
local disk
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related, expires
Application number
US09/618,202
Other languages
English (en)
Inventor
Kenji Yamagami
Akira Yamamoto
Naoko Iwami
Masayuki Yamamoto
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hitachi Ltd
Original Assignee
Hitachi Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hitachi Ltd filed Critical Hitachi Ltd
Priority to US09/618,202 priority Critical patent/US7240197B1/en
Assigned to HITACHI AMERICA, LTD. reassignment HITACHI AMERICA, LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: IWAMI, NAOKO, YAMAGAMI, KENJI, YAMAMOTO, AKIRA, YAMAMOTO, MASAYUKI
Priority to JP2001217506A priority patent/JP4065112B2/ja
Assigned to HITACHI, LTD. reassignment HITACHI, LTD. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: HITACHI AMERICA, LTD.
Application granted granted Critical
Publication of US7240197B1 publication Critical patent/US7240197B1/en
Adjusted expiration legal-status Critical
Expired - Fee Related legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/80Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in storage media based on magnetic or optical technology, e.g. disks with sectors
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • G06F12/1408Protection against unauthorised use of memory or access to memory by using cryptography
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution

Definitions

  • This invention relates to information storage and retrieval, and in particular to encryption of data in storage systems having local and remote locations.
  • data are stored in a local storage system, for example, an array of hard disk drives, and data are also stored in a remote storage system.
  • the use of a remote location for a copy of the data is desirable because it prevents loss of the data from corruption of communications links, natural disasters, or other causes.
  • the remote copy function creates and maintains mirror volumes (duplicate sets) of the local data, but with the volumes of the sets separated by a “long” distance.
  • the two disk systems are directly connected by remote links, through which updates to the data stored on the local disk system are copied to the remote disk system.
  • the remote system typically is coupled to the local system using communication links or a network, for example, ESCON, FC, TI, T3, ATM, etc. or a combination thereof, while suitable protocols are ESCON, SCSI, IP or others.
  • ESCON ESCON
  • FC Fibre Channel
  • TI Transmission Control Channel
  • T3, ATM T3, ATM
  • IP Internet Protocol
  • SSP storage service providers
  • U.S. Pat. Nos. 5,459,857 and 5,544,347 describe remote copy technology which uses a remote link to connect two disk systems, enabling maintaining a duplicate copy, termed “a mirror,” of the local system data on the remote disk system.
  • the local disk system copies data on a local disk when duplication, termed “pair creation,” is indicated.
  • the local disk system transfers the data to the remote disk system through the remote link. Thus no host operation is required to maintain a mirror of two volumes.
  • U.S. Pat. No. 5,933,653 discloses a method for transferring data between a local disk system and a remote disk system.
  • the local disk system transfers data to the remote disk system before completing a write request from a host.
  • the local disk system completes a write request and then transfers the write data to the remote disk system. Succeeding write requests are not processed until the previous data transfer is completed.
  • adaptive copy mode data to be sent to the remote disk system is stored in a memory and transferred to the remote disk system when the local disk system and/or remote links are available for the copy task.
  • This invention provides a technique for assuring the privacy of a customer's data stored in a storage system.
  • Encryption technology is employed in which a key for encryption and decryption is assigned to a volume or a set of volumes. Both the local and the remote disk system use the same key for a pair of volumes or a group of volumes.
  • the keys are changeable without interrupting the host input/output operations to and from the local disk system. In addition, the keys can be periodically changed to improve security.
  • the local disk system which stores the initially created data, encrypts the data to be sent to the remote disk system and sends it to the remote disk system, where it is stored in encrypted form.
  • the local disk system and the remote disk system have a switching mechanism for implementing encryption and decryption.
  • the disk systems can communicate with each other and change the encryption without losing the consistency of the remote copy.
  • a method of controlling security of data in a storage system having a local disk system and a remote disk system includes performing certain steps in the local disk system and in the remote disk system.
  • the steps performed in the local system include: when a write of data is to be made to the local disk system retrieving a previously stored encryption key, encrypting the data, and transferring the data to the remote disk system.
  • the steps performed in the remote system include: retrieving the previously stored encryption key, determining an address for storage of the data, decrypting the data, writing the decrypted data in the remote disk system; and notifying the local disk system that the step of writing the decrypted data is complete.
  • FIG. 1 is a block diagram illustrating the overall configuration of a system according to a preferred embodiment of this invention
  • FIG. 2 is an exemplary encryption control table
  • FIG. 3 is a flowchart illustrating the encryption and decryption process
  • FIG. 4 is a flow chart illustrating a first method of transparent key exchange
  • FIG. 4 b illustrates the concept behind transparent key exchange
  • FIG. 5 is a flow chart illustrating a second method of transparent key exchange
  • FIG. 6 is a flow chart illustrating a first method of controlling encryption
  • FIG. 7 is a flow chart illustrating a second method of controlling encryption.
  • FIG. 8 is a flow chart illustrating a third method of transparent key exchange.
  • encryption is enabled for a storage system having both local and remote disk systems.
  • the assignment of encryption keys to volumes is first discussed with respect to FIG. 1 .
  • Two disk systems referred to as the local disk system 100 and the remote disk system 110 , each include one or more hard disk drives 102 , 112 , optical storage disks, flash memories, or other storage media. While the following description refers to disks, it should be understood that any type of data storage media can be employed.
  • Each disk system also has processors (not shown) on which appropriate software programs run, additional memories for storing control data and tables for the software, etc.
  • One or more host computers 115 connect to at least the local disk system 100 , by the connection of SCSI 122 , Fibre, ESCON, etc. The host computer 115 accesses the disks in the local disk system through the connection 122 .
  • One or more host computers 118 also may be connected to the remote disk system 110 .
  • Management consoles 125 , 130 provide connections to the local, and optionally to the remote disk system, using LAN 133 , proprietary connection 135 , SCSI, Fibre or ESCON, or other well known technique. An administrator manages the disk systems through this management consoles 125 , 130 . If desired, the management console 125 for the local disk system also may connect to the remote disk system.
  • the connection between the local and remote disk systems may comprise ESCON, SCSI, LAN/WAN or Fibre 140 , or combination of them, for example, using a gateway appliance.
  • a key is assigned to a volume or a group of volumes. The same key is assigned to a local volume (or a group of local volumes) and to a remote volume (or a group of remote volumes).
  • the local 100 and remote 110 disk systems maintain an encryption control table 200 as depicted in FIG. 2 .
  • Each entry in the table is indexed by a volume number 240 , thus allowing a separate key to be assigned to each volume. If a key is assigned to a group, entries indexed by volume number of the group will have the same value for the key 210 .
  • the value of key 210 for a volume is the same in both the local disk system and remote disk system.
  • the column designated key 210 shows the key assigned to the volume listed in the column labeled volume 240 , while the encryption 220 and decryption 230 columns indicate the status of encryption, as follows. A “Yes” in column 220 indicates the local system encrypts the data before sending it to the remote disk system.
  • a “No” in column 220 indicates the local system sends ordinary (non-encrypted data) to the remote disk system.
  • a “Yes” in column 230 indicates that the remote system must decrypt the data before using it, while a “No” in column 230 indicates that the remote copy data has been stored in decrypted form and therefore can be used without decryption.
  • FIG. 3 is a flowchart of the encryption and decryption process. Three situations will invoke the remote copy process depicted in FIG. 3 .
  • First when establishing a pair (referred to herein as initial copy), the local disk system 100 copies all data on the local disk to the remote disk 110 .
  • An administrative controller usually provides the local and remote disk addresses, and both local and remote disk systems store this information.
  • the desired remote disk address can be retrieved from the local disk system.
  • the local disk system has stored the relationship between the local disk or volume and the remote disk or volume when the administrator established a pair. This enables the remote disk address to be located.
  • the remote disk system locates the key for the disk.
  • the local disk system knows its local disk address.
  • Steps 300 – 330 illustrate locating the right key at the remote disk system.
  • a write request from the local disk system to the remote disk system includes the remote disk address.
  • the data is sent to the remote disk, decrypted, and stored, all as shown by steps 330 – 340 .
  • a message 350 is sent to the local disk system, informing it of the completion.
  • the local disk system counts the number of I/O requests from the local disk system to the remote disk system for each volume pair. (See step 430 .)
  • the local and remote disk systems perform the operations shown in the flowchart in FIG. 4 .
  • a boundary number is determined which corresponds to the I/O number after which the key is to change.
  • the key is changed.
  • the key is also changed.
  • FIG. 4 b illustrates this process conceptually.
  • the upper time line illustrates operations in the local system, while the lower time line illustrates corresponding operations in the remote system, and that those operations lag the operations in the local system.
  • the key is changed after operation 4 in each of the local and the remote system, and that this change in key occurs at a different time in each system.
  • the request and/or data, sent from local to remote at steps 410 and 440 are encrypted and decrypted by the current key, not the new key.
  • the copy process is running during the operations in FIG. 4 . Therefore I/O requests from local to remote are being processed in parallel with the key change operation.
  • the local disk system must choose an appropriate I/O number at step 440 . It then prevents performing the I/O with that number until step 440 completes.
  • Step 410 Store a new key to a memory and send it to the remote disk system.
  • Step 420 Store the new key to a memory.
  • Step 430 Get the current I/O number of the volume pair.
  • Step 440 Choose the appropriate I/O number (the boundary number) to validate the new key and send it to remote disk system.
  • Step 450 Wait for the I/Os with the boundary number; I/Os with the boundary number or smaller are decrypted with the current key.
  • Step 460 Wait for the I/Os with the boundary number; I/Os with the boundary number or smaller are encrypted with the current key.
  • Step 470 Set the new key to Key 210 ; I/Os with the number greater than the boundary number are encrypted with the new key.
  • Step 480 Set the new key to Key 210 ; I/Os with the number greater than the boundary number are decrypted with the new key.
  • a second method of implementing key exchange, illustrated in FIG. 5 is by using a pair control mechanism such as splitting and re-synchronizing mirrored pairs.
  • a pair control mechanism such as splitting and re-synchronizing mirrored pairs.
  • splitting a mirror the local disk system stops copying data to the remote disk system.
  • the local disk system maintains a list of updates from hosts to the local volume, usually by using a pending bit map.
  • re-synchronizing the mirror the local disk system begins copying pending data to the remote volume by referring to the bit map.
  • the local and remote disk systems perform the operations in FIG. 5 .
  • the local disk system changes its pair status, stops copying data to the remote disk system and begins marking the bit map.
  • the pair status for both local and remote volumes changes to “Suspend,” which means data between local and remote disks is not equivalent.
  • this process may cause the local disk system to communicate with the remote disk system (step 540 ).
  • the local and the remote disk system store the new key in the encryption table 210 .
  • the local disk system changes its pair status and restarts copying in accordance with the bitmap.
  • the data is also copied to the remote system.
  • the pair status switches to “Copy Pending,” which means copy in progress, and then to “Pair,” meaning that the data between local and remote disks is equivalent.
  • this process may cause the local disk system to communicate with the remote disk system (step 580 ).
  • the remote disk system also changes the pair status to “Copy Pending” and then “Pair.”
  • Step 510 Store a new key to a memory and send it to the remote disk system.
  • Step 520 Store the new key to a memory.
  • Step 530 Split the pair (Stop copying data to remote disk system).
  • Step 540 Split the pair.
  • Step 550 Store the new key to Key 210 to validate it.
  • Step 560 Store the new key to Key 210 to validate it.
  • Step 570 Re-synchronize the pair (start copying data to the remote disk system).
  • Step 580 Re-synchronize the pair.
  • Encrypting data may cause performance degradation, and some data does not need encryption.
  • the choice of whether to encrypt or not is a tradeoff between importance of data and performance, and is left to the users' decision.
  • This invention enables the user to choose whether to use encryption and/or decryption. There are two methods enabling turning encryption and decryption on and off. These techniques are depicted in FIGS. 6 and 7 . They use the encryption table of FIG. 2 .
  • Step 630 Get the current I/O number of the volume pair.
  • Step 640 Choose the appropriate I/O number (the boundary number) to switch encryption and decryption off and send it to remote disk system.
  • Step 650 Wait for the I/Os with the boundary number; I/Os with the boundary number or smaller are decrypted with the current key.
  • Step 660 Wait for the I/Os with the boundary number; I/Os with the boundary number or smaller are encrypted with the current key.
  • Step 670 Store “NO” to Encryption 220 and Decryption 230 ; I/Os with the number greater than the boundary number are not encrypted.
  • Step 680 Store “NO” to Encryption 220 and Decryption 230 ; I/Os w/the number greater than the boundary number are not decrypted.
  • Step 730 Split the pair (Stop copying data to remote disk system).
  • Step 740 Split the pair.
  • Step 750 Store “NO” to Encryption 220 and Decryption 230 .
  • Step 760 Store “NO” to Encryption 220 and Decryption 230 .
  • Step 770 Re-synchronize the pair (start copying data to the remote disk system).
  • Step 780 Re-synchronize the pair.
  • the methods for changing a key described in FIGS. 4 and 5 need to be modified.
  • the data stored in the remote disk was encrypted by a first key.
  • the key is changed, the data is encrypted by a second key and stored in the remote disk. This implies data encrypted by two or more different keys are present on the remote disk. Although feasible, it is generally undesirable to maintain different keys for each encrypted portion of the remote disk.
  • the remote disk system re-encrypts all data on the remote disk with the new key.
  • a predetermined amount of data e.g.
  • a track is read from the disk to the cache memory of the remote disk system, decrypted by the current key, encrypted by the new key, and then stored back to the same location on the remote disk.
  • the remote disk system keeps track of this process with a bit map. If the local disk system copies data to a location that has not finished re-encryption, the remote disk system performs the above operation before responding to the local disk system.
  • FIG. 8 illustrates the above process in detail.
  • a copy request (a write I/O request) 810 indicates the location of records or blocks to be updated.
  • the location is a track address and a record number of the heading record, together with the number of records, while with the SCSI protocol, a block address of the heading block and number of blocks are provided.
  • the remote disk system does step 840 to 860 for the track(s) that contain the records or the blocks.
  • the re-encrypted data is written to the disk.
  • Step 800 Set all bits of the re-encryption bitmap to 1 (one).
  • Step 810 Copy request exists from the local disk system? If yes, go to Step 890 . If no, proceed to step 820 .
  • Step 820 All bits of the re-encryption bitmap are 0 (zero)? If yes, the process ends. If no, the process proceeds to step 830 .
  • Step 830 Find the next track whose bit is 1 (one).
  • Step 840 Read a track from the disk to the cache.
  • Step 850 Decrypt the track by the current key.
  • Step 860 Encrypt the track by the new key.
  • Step 870 Write the track from the cache to the disk.
  • Step 880 Set 0 (zero) to the bit of the re-encryption bitmap.
  • Step 890 Do steps 840 to 860 for the track of the request and then execute copy request.
  • the apparatus and methods described in this invention encrypt and decrypt data being transferred between two disk systems.
  • a key for encryption and decryption is assigned to a volume. This protects remote copy data from being misappropriated and/or altered.
  • An administrator can manage encryption because the remote copy is done for a pair or a group of pairs of volumes.
  • This invention also provides a method to change keys transparently.
  • the invention provides a method that enables an administrator to choose when to use encryption and/or decryption, even on a volume by volume-pair basis.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)
US09/618,202 2000-07-18 2000-07-18 Method and apparatus for encryption and decryption in remote data storage systems Expired - Fee Related US7240197B1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US09/618,202 US7240197B1 (en) 2000-07-18 2000-07-18 Method and apparatus for encryption and decryption in remote data storage systems
JP2001217506A JP4065112B2 (ja) 2000-07-18 2001-07-18 リモートデータ記憶システムにおける暗号化と復号化のための方法及び装置。

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US09/618,202 US7240197B1 (en) 2000-07-18 2000-07-18 Method and apparatus for encryption and decryption in remote data storage systems

Publications (1)

Publication Number Publication Date
US7240197B1 true US7240197B1 (en) 2007-07-03

Family

ID=24476742

Family Applications (1)

Application Number Title Priority Date Filing Date
US09/618,202 Expired - Fee Related US7240197B1 (en) 2000-07-18 2000-07-18 Method and apparatus for encryption and decryption in remote data storage systems

Country Status (2)

Country Link
US (1) US7240197B1 (enExample)
JP (1) JP4065112B2 (enExample)

Cited By (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040153642A1 (en) * 2002-05-14 2004-08-05 Serge Plotkin Encryption based security system for network storage
US20060062383A1 (en) * 2004-09-21 2006-03-23 Yasunori Kaneda Encryption/decryption management method in computer system having storage hierarchy
US20070055891A1 (en) * 2005-09-08 2007-03-08 Serge Plotkin Protocol translation
US20070101143A1 (en) * 2003-11-13 2007-05-03 Yoshiaki Iwata Semiconductor memory card
US20080098217A1 (en) * 2006-10-24 2008-04-24 Pletka Roman A Method for efficient and secure data migration between data processing systems
US20080240434A1 (en) * 2007-03-29 2008-10-02 Manabu Kitamura Storage virtualization apparatus comprising encryption functions
US20080263368A1 (en) * 2007-04-18 2008-10-23 Kyoko Mikami Computer system, management terminal, storage system and encryption management method
US20090067633A1 (en) * 2007-09-11 2009-03-12 International Business Machines Corporation Configuring host settings to specify an encryption setting and a key label referencing a key encyrption key to use to encrypt an encryption key provided to a storage drive to use to encrypt data from the host
US20100083357A1 (en) * 2008-09-30 2010-04-01 Lenovo (Singapore) Pte. Ltd Remote registration of biometric data into a computer
US20100153666A1 (en) * 2008-12-17 2010-06-17 Hitachi, Ltd. Storage system, method for calculating estimated value of data recovery available time and management computer
US7853019B1 (en) 2006-11-30 2010-12-14 Netapp, Inc. Tape failover across a cluster
US7971234B1 (en) 2006-09-15 2011-06-28 Netapp, Inc. Method and apparatus for offline cryptographic key establishment
US7983423B1 (en) 2007-10-29 2011-07-19 Netapp, Inc. Re-keying based on pre-generated keys
US20110188651A1 (en) * 2010-01-29 2011-08-04 Geoffrey Ignatius Iswandhi Key rotation for encrypted storage media using a mirrored volume revive operation
US7995759B1 (en) 2006-09-28 2011-08-09 Netapp, Inc. System and method for parallel compression of a single data stream
US8037524B1 (en) 2007-06-19 2011-10-11 Netapp, Inc. System and method for differentiated cross-licensing for services across heterogeneous systems using transient keys
US8042155B1 (en) 2006-09-29 2011-10-18 Netapp, Inc. System and method for generating a single use password based on a challenge/response protocol
US8171307B1 (en) 2006-05-26 2012-05-01 Netapp, Inc. Background encryption of disks in a large cluster
US8181011B1 (en) 2006-08-23 2012-05-15 Netapp, Inc. iSCSI name forwarding technique
US8190905B1 (en) 2006-09-29 2012-05-29 Netapp, Inc. Authorizing administrative operations using a split knowledge protocol
US8196182B2 (en) 2007-08-24 2012-06-05 Netapp, Inc. Distributed management of crypto module white lists
CN102611548A (zh) * 2011-12-08 2012-07-25 上海华御信息技术有限公司 基于信息传输端口来对信息进行加密的方法及系统
US8245050B1 (en) 2006-09-29 2012-08-14 Netapp, Inc. System and method for initial key establishment using a split knowledge protocol
US20120239944A1 (en) * 2006-09-07 2012-09-20 International Business Machines Corporation Selective Encryption of Data Stored on Removable Media in an Automated Data Storage Library
US8397083B1 (en) 2006-08-23 2013-03-12 Netapp, Inc. System and method for efficiently deleting a file from secure storage served by a storage system
US8489893B2 (en) 2010-01-29 2013-07-16 Hewlett-Packard Development Company, L.P. Encryption key rotation messages written and observed by storage controllers via storage media
CN103414704A (zh) * 2013-07-29 2013-11-27 相韶华 一种通用虚拟数据加密存储系统
US8607046B1 (en) 2007-04-23 2013-12-10 Netapp, Inc. System and method for signing a message to provide one-time approval to a plurality of parties
US8611542B1 (en) 2007-04-26 2013-12-17 Netapp, Inc. Peer to peer key synchronization
US8824686B1 (en) 2007-04-27 2014-09-02 Netapp, Inc. Cluster key synchronization
US8943328B2 (en) 2010-01-29 2015-01-27 Hewlett-Packard Development Company, L.P. Key rotation for encrypted storage media
US9774445B1 (en) 2007-09-04 2017-09-26 Netapp, Inc. Host based rekeying
US20210319120A1 (en) * 2017-07-27 2021-10-14 Citrix Systems, Inc. Secure Information Storage

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7272727B2 (en) * 2005-04-18 2007-09-18 Hitachi, Ltd. Method for managing external storage devices

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5459857A (en) 1992-05-15 1995-10-17 Storage Technology Corporation Fault tolerant disk array data storage subsystem
US5544347A (en) * 1990-09-24 1996-08-06 Emc Corporation Data storage system controlled remote data mirroring with respectively maintained data indices
US5548649A (en) * 1995-03-28 1996-08-20 Iowa State University Research Foundation Network security bridge and associated method
US5933653A (en) 1996-05-31 1999-08-03 Emc Corporation Method and apparatus for mirroring data in a remote data storage system
US6397307B2 (en) * 1999-02-23 2002-05-28 Legato Systems, Inc. Method and system for mirroring and archiving mass storage
US6742116B1 (en) * 1998-09-30 2004-05-25 Fujitsu Limited Security method, security software and security system for electronic communications

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5544347A (en) * 1990-09-24 1996-08-06 Emc Corporation Data storage system controlled remote data mirroring with respectively maintained data indices
US5459857A (en) 1992-05-15 1995-10-17 Storage Technology Corporation Fault tolerant disk array data storage subsystem
US5548649A (en) * 1995-03-28 1996-08-20 Iowa State University Research Foundation Network security bridge and associated method
US5933653A (en) 1996-05-31 1999-08-03 Emc Corporation Method and apparatus for mirroring data in a remote data storage system
US6742116B1 (en) * 1998-09-30 2004-05-25 Fujitsu Limited Security method, security software and security system for electronic communications
US6397307B2 (en) * 1999-02-23 2002-05-28 Legato Systems, Inc. Method and system for mirroring and archiving mass storage

Cited By (51)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060136735A1 (en) * 2002-05-14 2006-06-22 Serge Plotkin Encryption based security system for network storage
US8335915B2 (en) 2002-05-14 2012-12-18 Netapp, Inc. Encryption based security system for network storage
US20040153642A1 (en) * 2002-05-14 2004-08-05 Serge Plotkin Encryption based security system for network storage
US8423780B2 (en) 2002-05-14 2013-04-16 Netapp, Inc. Encryption based security system for network storage
US20070101143A1 (en) * 2003-11-13 2007-05-03 Yoshiaki Iwata Semiconductor memory card
US7716496B2 (en) * 2004-09-21 2010-05-11 Hitachi, Ltd. Encryption/decryption management method in computer system having storage hierarchy
US20060062383A1 (en) * 2004-09-21 2006-03-23 Yasunori Kaneda Encryption/decryption management method in computer system having storage hierarchy
US20070055891A1 (en) * 2005-09-08 2007-03-08 Serge Plotkin Protocol translation
US8898452B2 (en) 2005-09-08 2014-11-25 Netapp, Inc. Protocol translation
US8171307B1 (en) 2006-05-26 2012-05-01 Netapp, Inc. Background encryption of disks in a large cluster
US8397083B1 (en) 2006-08-23 2013-03-12 Netapp, Inc. System and method for efficiently deleting a file from secure storage served by a storage system
US8181011B1 (en) 2006-08-23 2012-05-15 Netapp, Inc. iSCSI name forwarding technique
US9141821B2 (en) * 2006-09-07 2015-09-22 International Business Machines Corporation Selective encryption of data stored on removable media in an automated data storage library
US20160004879A1 (en) * 2006-09-07 2016-01-07 International Business Machines Corporation Selective encryption of data stored on removeable media in an automated data storage library
US9471805B2 (en) * 2006-09-07 2016-10-18 International Business Machines Corporation Selective encryption of data stored on removeable media in an automated data storage library
US20120239944A1 (en) * 2006-09-07 2012-09-20 International Business Machines Corporation Selective Encryption of Data Stored on Removable Media in an Automated Data Storage Library
US7971234B1 (en) 2006-09-15 2011-06-28 Netapp, Inc. Method and apparatus for offline cryptographic key establishment
US7995759B1 (en) 2006-09-28 2011-08-09 Netapp, Inc. System and method for parallel compression of a single data stream
US8042155B1 (en) 2006-09-29 2011-10-18 Netapp, Inc. System and method for generating a single use password based on a challenge/response protocol
US8245050B1 (en) 2006-09-29 2012-08-14 Netapp, Inc. System and method for initial key establishment using a split knowledge protocol
US8190905B1 (en) 2006-09-29 2012-05-29 Netapp, Inc. Authorizing administrative operations using a split knowledge protocol
US7802102B2 (en) * 2006-10-24 2010-09-21 International Business Machines Corporation Method for efficient and secure data migration between data processing systems
US20080098217A1 (en) * 2006-10-24 2008-04-24 Pletka Roman A Method for efficient and secure data migration between data processing systems
US7853019B1 (en) 2006-11-30 2010-12-14 Netapp, Inc. Tape failover across a cluster
US8160257B1 (en) 2006-11-30 2012-04-17 Netapp, Inc. Tape failover across a cluster
US8422677B2 (en) 2007-03-29 2013-04-16 Hitachi, Ltd Storage virtualization apparatus comprising encryption functions
US20080240434A1 (en) * 2007-03-29 2008-10-02 Manabu Kitamura Storage virtualization apparatus comprising encryption functions
US20080263368A1 (en) * 2007-04-18 2008-10-23 Kyoko Mikami Computer system, management terminal, storage system and encryption management method
US8332658B2 (en) * 2007-04-18 2012-12-11 Hitachi, Ltd. Computer system, management terminal, storage system and encryption management method
US8607046B1 (en) 2007-04-23 2013-12-10 Netapp, Inc. System and method for signing a message to provide one-time approval to a plurality of parties
US8611542B1 (en) 2007-04-26 2013-12-17 Netapp, Inc. Peer to peer key synchronization
US8824686B1 (en) 2007-04-27 2014-09-02 Netapp, Inc. Cluster key synchronization
US8037524B1 (en) 2007-06-19 2011-10-11 Netapp, Inc. System and method for differentiated cross-licensing for services across heterogeneous systems using transient keys
US8196182B2 (en) 2007-08-24 2012-06-05 Netapp, Inc. Distributed management of crypto module white lists
US9774445B1 (en) 2007-09-04 2017-09-26 Netapp, Inc. Host based rekeying
US20090067633A1 (en) * 2007-09-11 2009-03-12 International Business Machines Corporation Configuring host settings to specify an encryption setting and a key label referencing a key encyrption key to use to encrypt an encryption key provided to a storage drive to use to encrypt data from the host
US8645715B2 (en) * 2007-09-11 2014-02-04 International Business Machines Corporation Configuring host settings to specify an encryption setting and a key label referencing a key encryption key to use to encrypt an encryption key provided to a storage drive to use to encrypt data from the host
US7983423B1 (en) 2007-10-29 2011-07-19 Netapp, Inc. Re-keying based on pre-generated keys
US8369529B1 (en) 2007-10-29 2013-02-05 Netapp, Inc. Re-keying based on pre-generated keys
US8667577B2 (en) * 2008-09-30 2014-03-04 Lenovo (Singapore) Pte. Ltd. Remote registration of biometric data into a computer
US20100083357A1 (en) * 2008-09-30 2010-04-01 Lenovo (Singapore) Pte. Ltd Remote registration of biometric data into a computer
US20100153666A1 (en) * 2008-12-17 2010-06-17 Hitachi, Ltd. Storage system, method for calculating estimated value of data recovery available time and management computer
US8108639B2 (en) * 2008-12-17 2012-01-31 Hitachi, Ltd. Storage system, method for calculating estimated value of data recovery available time and management computer
US20110188651A1 (en) * 2010-01-29 2011-08-04 Geoffrey Ignatius Iswandhi Key rotation for encrypted storage media using a mirrored volume revive operation
US9032218B2 (en) 2010-01-29 2015-05-12 Hewlett-Packard Development Company, L.P. Key rotation for encrypted storage media using a mirrored volume revive operation
US8943328B2 (en) 2010-01-29 2015-01-27 Hewlett-Packard Development Company, L.P. Key rotation for encrypted storage media
US8489893B2 (en) 2010-01-29 2013-07-16 Hewlett-Packard Development Company, L.P. Encryption key rotation messages written and observed by storage controllers via storage media
CN102611548A (zh) * 2011-12-08 2012-07-25 上海华御信息技术有限公司 基于信息传输端口来对信息进行加密的方法及系统
CN103414704A (zh) * 2013-07-29 2013-11-27 相韶华 一种通用虚拟数据加密存储系统
US20210319120A1 (en) * 2017-07-27 2021-10-14 Citrix Systems, Inc. Secure Information Storage
US11675914B2 (en) * 2017-07-27 2023-06-13 Citrix Systems, Inc. Secure information storage

Also Published As

Publication number Publication date
JP4065112B2 (ja) 2008-03-19
JP2002312223A (ja) 2002-10-25

Similar Documents

Publication Publication Date Title
US7240197B1 (en) Method and apparatus for encryption and decryption in remote data storage systems
US6966001B2 (en) Computing system and data decryption method and computer system with remote copy facility
JP4566668B2 (ja) 記憶階層を有する計算機システムにおける暗号復号管理方法
US7752457B2 (en) Method and apparatus for secure data mirroring a storage system
US8200965B2 (en) Storage system for data encryption
US8140864B2 (en) Computer system, storage system, and data management method for updating encryption key
US8301909B2 (en) System and method for managing external storage devices
JP5117748B2 (ja) 暗号化機能を備えたストレージ仮想化装置
US7958372B1 (en) Method and apparatus to convert a logical unit from a first encryption state to a second encryption state using a journal in a continuous data protection environment
US7899189B2 (en) Apparatus, system, and method for transparent end-to-end security of storage data in a client-server environment
US20080101605A1 (en) Storage system provided with an encryption function
US20100162002A1 (en) Virtual tape backup arrangement using cryptographically split storage
US20050120189A1 (en) Method and apparatus for moving logical entities among storage elements in a computer storage system
JP2009032038A (ja) リムーバブルな暗号化/復号化モジュールが接続されるストレージシステム
CN109995522B (zh) 一种具有密钥协商功能的安全数据镜像方法
US20090172417A1 (en) Key management method for remote copying
JP2009064178A (ja) ストレージ装置及びデータの管理方法
US7689837B2 (en) Storage system, data migration method and management computer
US7243188B2 (en) Method and apparatus for maintaining inventory of logical volumes stored on storage elements
US20090199016A1 (en) Storage system, and encryption key management method and encryption key management program thereof
JP2009064055A (ja) 計算機システム及びセキュリティ管理方法
JP4555049B2 (ja) 計算機システム、管理計算機、及びデータ管理方法
JP4028677B2 (ja) リモートコピーのコンピュータシステム

Legal Events

Date Code Title Description
AS Assignment

Owner name: HITACHI AMERICA, LTD., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:YAMAGAMI, KENJI;YAMAMOTO, AKIRA;IWAMI, NAOKO;AND OTHERS;REEL/FRAME:011004/0479

Effective date: 20000623

AS Assignment

Owner name: HITACHI, LTD., JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HITACHI AMERICA, LTD.;REEL/FRAME:012404/0015

Effective date: 20010725

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FEPP Fee payment procedure

Free format text: PAYER NUMBER DE-ASSIGNED (ORIGINAL EVENT CODE: RMPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FEPP Fee payment procedure

Free format text: PAYOR NUMBER ASSIGNED (ORIGINAL EVENT CODE: ASPN); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

FPAY Fee payment

Year of fee payment: 4

REMI Maintenance fee reminder mailed
LAPS Lapse for failure to pay maintenance fees
STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20150703